path: root/src/charon/sa/authenticator.h
blob: 4fb776619685412b1dcf37db5ca3496cdf35d7c7 (plain)
/**
 * @file authenticator.h
 *
 * @brief Interface of authenticator_t.
 *
 */

/*
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef AUTHENTICATOR_H_
#define AUTHENTICATOR_H_

#include <types.h>
#include <sa/ike_sa.h>
#include <network/packet.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/id_payload.h>


typedef struct authenticator_t authenticator_t;

/**
 * @brief Class used to authenticate a peer.
 * 
 * Currently the following two AUTH methods are supported:
 *  - SHARED_KEY_MESSAGE_INTEGRITY_CODE
 *  - RSA_DIGITAL_SIGNATURE
 * 
 * This class retrieves the data needed for specific AUTH methods (RSA keys, shared secrets, etc.)
 * via an internally stored protected_ike_sa_t object, or directly from the configuration_t via
 * the daemon_t object "charon".
 * 
 * @b Constructors:
 *  - authenticator_create()
 * 
 * @ingroup sa
 */
struct authenticator_t {

	/**
	 * @brief Verifies the authentication data carried in a received AUTH payload.
	 * 
	 * To verify a received AUTH payload the following data must be provided:
	 * - the received AUTH payload itself
	 * - the last received IKEv2 Message from the other peer in binary form
	 * - the nonce value sent to the other peer
	 * - the ID payload of the other peer
	 *
	 * @param this 					calling object
	 * @param auth_payload			the received AUTH payload whose data is verified
	 * @param last_received_packet	binary representation of the last received IKEv2-Message
	 * @param my_nonce				the sent nonce (without payload header)
	 * @param my_id					my ID
	 * @param other_id				peer ID
	 * @param initiator				type of peer. TRUE, if it is original initiator, FALSE otherwise
	 * 
	 * @note Only SUCCESS means the peer has been authenticated. A caller must treat
	 * every other status (FAILED, NOT_SUPPORTED, NOT_FOUND) as an authentication
	 * failure; none of them may be taken as "verified".
	 * 
	 * @todo Document RSA error status types
	 * 
	 * @return
	 * 								- SUCCESS if verification successful
	 * 								- FAILED if verification failed
	 * 								- NOT_SUPPORTED if AUTH method not supported
	 * 								- NOT_FOUND if the data for specific AUTH method could not be found 
	 * 									(e.g. shared secret, rsa key)
	 */
	status_t (*verify_auth_data) (authenticator_t *this,
								  auth_payload_t *auth_payload, 
								  chunk_t last_received_packet,
								  chunk_t my_nonce,
								  identification_t *my_id,
								  identification_t *other_id,
								  bool initiator);

	/**
	 * @brief Computes authentication data and creates the matching AUTH payload.
	 * 
	 * To create an AUTH payload, the following data must be provided:
	 * - the last sent IKEv2 Message in binary form
	 * - the nonce value received from the other peer
	 * - the ID payload of myself
	 * 
	 * @param this 					calling object
	 * @param[out] auth_payload		on SUCCESS, a newly created auth_payload_t is stored at
	 * 								this location (presumably owned by the caller afterwards;
	 * 								confirm against the implementation)
	 * @param last_sent_packet		binary representation of the last sent IKEv2-Message
	 * @param other_nonce			the received nonce (without payload header)
	 * @param my_id					my ID
	 * @param other_id				peer ID
	 * @param initiator				type of myself. TRUE, if I'm original initiator, FALSE otherwise
	 *
	 * @note Here the initiator flag describes my own role, whereas in
	 * verify_auth_data() it describes the peer's role; pass the correct one to each.
	 *
	 * @todo Document RSA error status types
	 * 
	 * @return
	 * 								- SUCCESS if authentication data could be computed
	 * 								- NOT_SUPPORTED if AUTH method not supported
	 * 								- NOT_FOUND if the data for AUTH method could not be found
	 */
	status_t (*compute_auth_data) (authenticator_t *this,
								   auth_payload_t **auth_payload,
								   chunk_t last_sent_packet,
								   chunk_t other_nonce,
								   identification_t *my_id,
								   identification_t *other_id,
								   bool initiator);

	/**
	 * @brief Destroys an authenticator_t object.
	 *
	 * Releases the object returned by authenticator_create(); the object must
	 * not be used afterwards.
	 *
	 * @param this 			calling object
	 */
	void (*destroy) (authenticator_t *this);
};

/**
 * @brief Creates an authenticator object.
 * 
 * The returned object is released through its destroy() method.
 * 
 * @param ike_sa		associated ike_sa
 * @param auth_method	authentication method to use for own signature/mac
 * 
 * @return				authenticator_t object
 * 						(NOTE(review): whether NULL can be returned is not
 * 						stated here — confirm in the implementation)
 * 
 * @ingroup sa
 */
authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);

#endif /* AUTHENTICATOR_H_ */